Message ID | 967b9ef1-fb36-48bf-9e6a-1b99af24c052@p183 |
---|---|
State | New |
Headers |
Date: Thu, 5 Oct 2023 19:34:21 +0300
From: Alexey Dobriyan <adobriyan@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Jiri Slaby <jirislaby@kernel.org>
Cc: linux-serial@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: stack leak via uart_get_info() ?
Message-ID: <967b9ef1-fb36-48bf-9e6a-1b99af24c052@p183>
List-ID: <linux-kernel.vger.kernel.org> |
Series | stack leak via uart_get_info() ? |
Commit Message
Alexey Dobriyan
Oct. 5, 2023, 4:34 p.m. UTC
If this check ever triggers

	static int uart_get_info(struct tty_port *port, struct serial_struct *retinfo)
	{

		uport = uart_port_check(state);
		if (!uport)
			goto out;

then all those sysfs users will print stack contents to userspace.

Can it trigger while sysfs read is executing?
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
---
Comments
On Thu, Oct 05, 2023 at 07:34:21PM +0300, Alexey Dobriyan wrote:
> If this check ever triggers
>
> static int uart_get_info(struct tty_port *port, struct serial_struct *retinfo)
> {
>
> uport = uart_port_check(state);
> if (!uport)
> goto out;
>
> then all those sysfs users will print stack contents to userspace.
>
> Can it trigger while sysfs read is executing?

I don't think it can ever fail, we don't even check the result in other
places, so it should all be fine.

> Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
> ---
>
> --- a/drivers/tty/serial/serial_core.c
> +++ b/drivers/tty/serial/serial_core.c
> @@ -775,6 +775,8 @@ static int uart_get_info(struct tty_port *port, struct serial_struct *retinfo)
> struct uart_port *uport;
> int ret = -ENODEV;
>
> + *retinfo = (struct serial_struct){};

This is good (although I hate the implied memcpy), a real memset would
be best to ensure that any holes are also filled. Want to do that, or
want me to?

thanks,

greg k-h
On Thu, Oct 05, 2023 at 07:55:34PM +0200, Greg Kroah-Hartman wrote:
> On Thu, Oct 05, 2023 at 07:34:21PM +0300, Alexey Dobriyan wrote:
> > If this check ever triggers
> >
> > static int uart_get_info(struct tty_port *port, struct serial_struct *retinfo)
> > {
> >
> > uport = uart_port_check(state);
> > if (!uport)
> > goto out;
> >
> > then all those sysfs users will print stack contents to userspace.
> >
> > Can it trigger while sysfs read is executing?
>
> I don't think it can ever fail, we don't even check the result in other
> places, so it should all be fine.
>
> > Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
> > ---
> >
> > --- a/drivers/tty/serial/serial_core.c
> > +++ b/drivers/tty/serial/serial_core.c
> > @@ -775,6 +775,8 @@ static int uart_get_info(struct tty_port *port, struct serial_struct *retinfo)
> > struct uart_port *uport;
> > int ret = -ENODEV;
> >
> > + *retinfo = (struct serial_struct){};
>
> This is good (although I hate the implied memcpy), a real memset would
> be best to ensure that any holes are also filled. Want to do that, or
> want me to?

I don't mind memset(), but "struct serial_struct" structure has kernel
pointers:

	unsigned char* iomem_base;

so it is not shipped to userspace, so padding isn't an issue.
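The pattern the three messages above argue about, as an added, self-contained example that is not kernel code and was not posted by either participant: a getter takes an early "goto out" before filling the caller's struct, a sysfs-style reader ignores the return value and formats a field anyway, and the fix zero-fills the struct before any exit path. Everything here is a stand-in: struct fake_serial_struct, struct fake_port, port_check(), get_info_unfixed(), get_info_fixed(), get_info_fixed_literal(), line_as_shown() and poisoned_bytes() are hypothetical names modelled on the uart_get_info() shape quoted in the thread, not the real serial_struct or uart_port_check(). Reading genuinely uninitialized stack memory is undefined behaviour, so the example poisons the caller's struct with 0xAA first (constructed data standing in for stale stack contents), which makes the leak deterministic and observable. It goes one step past the thread by also counting padding bytes, which is the difference between Greg's memset() suggestion and the compound-literal assignment in the patch.

```c
/*
 * Added example, not kernel code: models the uart_get_info() early-exit
 * leak discussed in the thread. All names are hypothetical stand-ins.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct serial_struct. A char followed by an int guarantees
 * padding holes on every common ABI, which is what memset() covers and a
 * compound-literal assignment is not required to. */
struct fake_serial_struct {
	unsigned char type;	/* followed by padding before .line */
	int line;
	unsigned int port;
	void *iomem_base;	/* kernel pointer; a reason not to copy the struct wholesale */
};

/* Stand-in for the uart_port/uart_port_check() pair: NULL means "port gone". */
struct fake_port { int present; int line; unsigned int port; };

static struct fake_port *port_check(struct fake_port *p)
{
	return p->present ? p : NULL;
}

/* Unfixed shape: the early exit leaves *retinfo exactly as the caller had it. */
static int get_info_unfixed(struct fake_port *p, struct fake_serial_struct *retinfo)
{
	struct fake_port *uport;
	int ret = -ENODEV;

	uport = port_check(p);
	if (!uport)
		goto out;

	retinfo->type = 1;
	retinfo->line = uport->line;
	retinfo->port = uport->port;
	retinfo->iomem_base = NULL;
	ret = 0;
out:
	return ret;
}

/* Fixed shape as in the posted hunk: named members are zeroed, padding
 * bytes are unspecified per the C standard ({0} used for portability). */
static int get_info_fixed_literal(struct fake_port *p, struct fake_serial_struct *retinfo)
{
	*retinfo = (struct fake_serial_struct){ 0 };
	return get_info_unfixed(p, retinfo);
}

/* Fixed shape as Greg suggests: memset() clears every byte, holes included. */
static int get_info_fixed(struct fake_port *p, struct fake_serial_struct *retinfo)
{
	memset(retinfo, 0, sizeof(*retinfo));
	return get_info_unfixed(p, retinfo);
}

typedef int (*getter_fn)(struct fake_port *, struct fake_serial_struct *);

/* Stand-in for a sysfs show callback that prints .line: it poisons its stack
 * slot (constructed "stale stack" content), calls the getter, ignores the
 * return value as the thread says the sysfs users do, and returns the field. */
static int line_as_shown(getter_fn get, int present)
{
	struct fake_port p = { .present = present, .line = 7, .port = 0x3f8 };
	struct fake_serial_struct tmp;

	memset(&tmp, 0xAA, sizeof(tmp));
	get(&p, &tmp);
	return tmp.line;
}

/* How many bytes of the struct, padding included, still hold the poison
 * after the getter ran. Inspecting the object representation through
 * unsigned char is permitted; padding values are unspecified, not UB. */
static size_t poisoned_bytes(getter_fn get, int present)
{
	struct fake_port p = { .present = present, .line = 7, .port = 0x3f8 };
	struct fake_serial_struct tmp;
	const unsigned char *b = (const unsigned char *)&tmp;
	size_t n = 0, i;

	memset(&tmp, 0xAA, sizeof(tmp));
	get(&p, &tmp);
	for (i = 0; i < sizeof(tmp); i++)
		n += (b[i] == 0xAA);
	return n;
}

int main(void)
{
	printf("port gone, unfixed:  line=%d, poisoned bytes=%zu of %zu\n",
	       line_as_shown(get_info_unfixed, 0), poisoned_bytes(get_info_unfixed, 0),
	       sizeof(struct fake_serial_struct));
	printf("port gone, memset:   line=%d, poisoned bytes=%zu\n",
	       line_as_shown(get_info_fixed, 0), poisoned_bytes(get_info_fixed, 0));
	printf("port present, literal: poisoned bytes=%zu (padding, compiler-dependent)\n",
	       poisoned_bytes(get_info_fixed_literal, 1));
	printf("port present, memset:  poisoned bytes=%zu\n",
	       poisoned_bytes(get_info_fixed, 1));
	return 0;
}
```

Build with `cc -Wall -o leak leak.c && ./leak`. The first line shows the bug: with the port gone, the reader formats 0xAAAAAAAA (the poison) as the line number and every byte of the struct is still whatever the caller had. Both fixed variants make the field a clean 0 on the same path. The last two lines are the padding point: line_as_shown() only ever hands a single member to the reader, which is Alexey's argument that padding does not matter for these sysfs users, while poisoned_bytes() is the check you would want if the whole struct were ever copied out, and there only memset() gives a guaranteed count of zero.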
--- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c @@ -775,6 +775,8 @@ static int uart_get_info(struct tty_port *port, struct serial_struct *retinfo) struct uart_port *uport; int ret = -ENODEV; + *retinfo = (struct serial_struct){}; + /* * Ensure the state we copy is consistent and no hardware changes * occur as we go
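Review bot: the compound-literal assignment `*retinfo = (struct serial_struct){};` added at the top of uart_get_info() zero-fills the named members, but the C standard leaves padding bytes unspecified after a struct assignment, so the holes are not guaranteed to be cleared; if this struct is ever copied to userspace as a whole, `memset(retinfo, 0, sizeof(*retinfo));` is the safer form, as the reply in the thread suggests. The commit message should also say that the sysfs readers which motivated the change still ignore the -ENODEV return, so on that path they now report zeros for line, port and the rest instead of stale stack contents, which is the intended behaviour but is not stated. The hunk as captured here breaks off mid-comment ("occur as we go"), so its trailing context lines could not be checked.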